Internet Explorer Security Settings Affecting ClickOnce
Internet Explorer has several zone security settings that will impact your users' ability to launch a ClickOnce application on their machines.
- Script Activation: By default, script activation is disabled for ClickOnce applications coming from the Internet zone on Windows XP with Service Pack 2 and later platforms. This means that an Internet Web site cannot launch a ClickOnce .application file with a script. The setting that controls this in Internet Explorer is under Tools > Internet Options > Security tab > Custom Level button > Downloads > Automatic Prompting for File Downloads. If this is set to Enable, script activation of ClickOnce applications is allowed. If this is set to Disable, script activation is disallowed. The default setting is Enable for Intranet and Disable for Internet.
- Disable ClickOnce MIME Handler: If Downloads > File Download is set to Disable, launching any ClickOnce application over the Web (http or https) will result in the Security Alert message, "Your current security settings do not allow this file to be downloaded." By default this setting is enabled for all zones, so this will not usually be a problem.
- Disable Managed Code: If .NET Framework-Reliant Components > Run Components Not Signed with Authenticode is set to either Disable or Prompt, ClickOnce will be disabled. This setting must be set to Enabled for ClickOnce to work. The default value for this setting for all zones is Enabled.
Another Internet Explorer-related setting to be aware of is a registry setting that determines whether users are prompted with a download dialog when they click a link that points to a ClickOnce deployment manifest. It is the DWORD value AlwaysPromptWhenDownload under the key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions. When this DWORD value is set to 1, you will always get a file download prompt before the ClickOnce launch process starts. This value is not set by default, which lets ClickOnce start the launch process immediately when a link is clicked.
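
To check a machine against the three zone settings and the registry value described above, the following PowerShell audit can be used. It is an added example, not code from the original text. The URL action IDs (2200, 1803, 2001), their value codes, and the per-user Zones registry path are standard Internet Explorer identifiers that the text does not list, and the script assumes the settings are stored per user rather than pushed by Group Policy.

```powershell
# Added example: report the IE zone settings that affect ClickOnce launch.
# Assumption: per-user zone settings; policy-managed zones are stored elsewhere.
$base    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones   = @{ 1 = 'Intranet'; 3 = 'Internet' }
$actions = [ordered]@{
    '2200' = 'Automatic Prompting for File Downloads (script activation)'
    '1803' = 'File Download (ClickOnce MIME handler)'
    '2001' = 'Run Components Not Signed with Authenticode (managed code)'
}
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
# Values that, per the text above, stop the feature named in parentheses.
$blocking = @{ '2200' = @(3); '1803' = @(3); '2001' = @(1, 3) }

$report = foreach ($z in 1, 3) {
    $props = Get-ItemProperty -Path "$base\$z" -ErrorAction SilentlyContinue
    foreach ($id in $actions.Keys) {
        $raw = if ($props) { $props.$id } else { $null }
        if ($null -eq $raw) {
            $value = 'not set'; $effect = 'unknown'
        } elseif ($blocking[$id] -contains $raw) {
            $value = $meaning[[int]$raw]; $effect = 'blocked'
        } else {
            $value = $meaning[[int]$raw]; $effect = 'allowed'
        }
        [pscustomobject]@{
            Zone    = $zones[$z]
            Setting = $actions[$id]
            Value   = $value
            Effect  = $effect
        }
    }
}
$report | Format-Table -AutoSize

# AlwaysPromptWhenDownload: 1 forces a download prompt before ClickOnce starts.
$key    = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions'
$prompt = (Get-ItemProperty -Path $key -Name AlwaysPromptWhenDownload `
           -ErrorAction SilentlyContinue).AlwaysPromptWhenDownload
if ($prompt -eq 1) {
    'AlwaysPromptWhenDownload = 1: users get a file download prompt first.'
} else {
    'AlwaysPromptWhenDownload not set to 1: ClickOnce launch starts immediately.'
}
```

An "Effect" of "blocked" on the 2200 row means only script activation is disallowed for that zone; on the 1803 and 2001 rows it means ClickOnce launch itself will fail.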